Platform: ruby
Component: rack
Fixed in: 2.2.24, 3.0.1, 3.2.1, 2.2.23
CVE-2026-34831 affects the Ruby Rack library, specifically the Rack::Files#fail method. This vulnerability stems from an incorrect calculation of the Content-Length header when handling multibyte UTF-8 characters in response bodies. This can lead to response desynchronization in clients relying on the header, potentially causing parsing errors or unexpected behavior. Affected versions are Rack 2.2.9 and earlier; the vulnerability is resolved in version 2.2.23.
The core issue is that Rack::Files#fail uses String#size, which counts characters, rather than String#bytesize, which counts bytes, when computing the Content-Length header. When a request includes a non-existent path containing percent-encoded UTF-8 characters, the resulting error body contains multibyte characters, and the declared Content-Length ends up smaller than the actual number of bytes transmitted. A client that trusts the header therefore reads fewer bytes than were sent and is left out of step with the response stream. While not a direct remote code execution vulnerability, this can lead to denial-of-service conditions or unexpected application behavior if clients misinterpret the response. The impact is primarily client-side, but widespread deployments of Rack could be affected.
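To make the size-versus-bytesize mismatch concrete, here is an added Ruby example; it is not Rack's own code, and the request path, body text and helper names (not_found_body, fail_response, content_length_mismatch) are constructed for the demonstration.

```ruby
require "uri"

# Constructed request path with percent-encoded UTF-8 segments; it is
# not taken from the advisory and only serves the demonstration.
ENCODED_PATH = "/caf%C3%A9/%E6%97%A5%E6%9C%AC.txt".freeze

# Decode the path the way a server would before echoing it into a
# "not found" body. The decoded string is UTF-8, so it contains
# multibyte characters wherever the path had %XX%XX sequences.
def not_found_body(encoded_path)
  path = URI.decode_www_form_component(encoded_path)
  "File not found: #{path}\n"
end

# Vulnerable pattern: String#size counts characters, so every multibyte
# character is undercounted by one or more bytes.
def content_length_by_size(body)
  body.size.to_s
end

# Corrected pattern: String#bytesize counts the bytes actually written
# to the socket, which is what Content-Length must describe.
def content_length_by_bytesize(body)
  body.bytesize.to_s
end

# Build a Rack-style [status, headers, body] triple with the chosen length function.
def fail_response(status, body, length_fn)
  [status,
   { "content-type" => "text/plain", "content-length" => length_fn.call(body) },
   [body]]
end

# Defender-side check: compare the declared Content-Length with the bytes the
# body parts really produce. Declared < actual is the desynchronization condition.
def content_length_mismatch(response)
  _status, headers, body = response
  declared = headers["content-length"].to_i
  actual = body.sum(&:bytesize)
  { declared: declared, actual: actual, ok: declared == actual }
end

if __FILE__ == $PROGRAM_NAME
  body = not_found_body(ENCODED_PATH)
  vulnerable = fail_response(404, body, method(:content_length_by_size))
  fixed = fail_response(404, body, method(:content_length_by_bytesize))
  p content_length_mismatch(vulnerable) # declared 29, actual 34, ok false
  p content_length_mismatch(fixed)      # declared 34, actual 34, ok true
end
```

The same check can be pointed at any Rack response triple in a test suite to catch a header that no longer matches the body's byte length.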
CVE-2026-34831 was publicly disclosed on 2026-04-02. There is no indication of active exploitation or KEV listing at the time of writing. Public proof-of-concept code is not widely available, suggesting a relatively low probability of immediate exploitation. The EPSS score is likely to be low, reflecting the limited public information and lack of observed exploitation.
Exploit Status
EPSS: 0.04% (11th percentile)
The primary mitigation is to upgrade to Rack version 2.2.23 or later, which corrects the Content-Length calculation. If upgrading is not immediately feasible, consider implementing a reverse proxy or WAF that can normalize HTTP responses and ensure accurate Content-Length headers. Carefully review application code that relies on the Content-Length header for data integrity and consider adding validation or error handling to gracefully handle potentially truncated responses. There are no specific Sigma or YARA rules applicable to this vulnerability as it's a header calculation issue.
Update the Rack gem to version 2.2.23, 3.1.21, or 3.2.6 (or later), whichever matches your current release line. This corrects the content-length discrepancy in Rack::Files error responses.
CVE-2026-34831 is a vulnerability in Ruby Rack where the Content-Length header is incorrectly calculated for multibyte UTF-8 characters, leading to response desynchronization.
You are affected if you are using Rack version 2.2.9 or earlier. Upgrade to 2.2.23 or later to mitigate the risk.
Upgrade to Rack version 2.2.23 or later. Consider using a reverse proxy or WAF to normalize HTTP responses as a temporary workaround.
There is currently no evidence of active exploitation of CVE-2026-34831, but it's important to apply the fix proactively.
Refer to the Ruby Rack project's website and security advisories for the latest information and updates regarding CVE-2026-34831.